Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Local GLM OCR with llama.cpp on AIPC(no API Key)
v1.0.3Image OCR, text recognition, extract text from image, scan document, read image text, invoice OCR, receipt OCR, contract recognition, table extraction, busin...
⭐ 1· 98·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description (local GLM OCR via llama.cpp) matches the instructions: download/verify llama-cli (llama.cpp) and the GLM-OCR model, prepare a working directory, and run local inference. No unrelated credentials or services are requested.
Instruction Scope
The SKILL.md contains step-by-step PowerShell commands to create directories, download/extract binaries and model files, optionally auto-install Miniforge, validate SHA256 checksums, and run local inference. This is within the OCR scope, but the instructions will execute downloaded executables and modify files in %USERPROFILE% (and may install Python). The file explicitly recommends manual review and checksum verification, which is good practice.
Install Mechanism
This is an instruction-only skill (no install spec). Downloads come from GitHub releases, HuggingFace (or an HF mirror), and possibly modelscope.cn; Miniforge is from conda-forge. These are expected sources for this task, but downloading and executing a prebuilt llama-cli executable and large model files is higher-risk behavior than purely local operations. The SKILL.md claims to validate SHA256 hashes before extraction — a mitigating control if actually performed.
Credentials
No required environment variables or credentials are declared. The SKILL.md mentions an optional HUGGINGFACE_TOKEN (only needed for gated models) and allows a user-specified Python path; these are reasonable and proportional. The skill will create an OCR_DIR and may install Miniforge into the user's profile (expected for running huggingface_hub).
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or global agent settings. It will persist files (models, binaries, and possibly a local Miniforge install) to a user directory, which is expected for a local OCR tool.
Assessment
This skill appears to do what it says (set up a local llama.cpp-based OCR). However it downloads and executes binaries and may install Python into your user profile. Before installing or allowing autonomous execution: 1) Inspect the full PowerShell steps in SKILL.md and prefer running them yourself rather than giving the agent control. 2) Verify SHA256 checksums of downloaded llama-cli and model files against the official project pages before extracting or running. 3) Prefer the official hosts (github.com and huggingface.co); be cautious about mirrors (e.g., modelscope.cn) unless you trust them. 4) Do not set HUGGINGFACE_TOKEN unless required, and treat it as secret. 5) Run the setup from a non-admin account or in an isolated environment (VM or sandbox) if you have any doubt. If you want a higher-assurance assessment, provide the full (untruncated) SKILL.md PowerShell steps so I can check for any commands that read unrelated files, export secrets, or contact unexpected endpoints.Like a lobster shell, security has layers — review code before you run it.
latestvk97a5a4tej14551cc2ej5wvkp1838z8j
License
MIT-0
Free to use, modify, and redistribute. No attribution required.